Security Ouch VestaCP servers hacked !

Revenge · Apr 11, 2018

Their site is working for me.

eva2000 · Apr 11, 2018

Revenge said: ↑

Their site is working for me.
Click to expand...

Forum just came back for me now

hmmm Got 10 VestaCP servers exploited - Page 44 - Vesta Control Panel - Forum

Yesterday I installed 0.9.8-20 on a fresh vultr centos 7.4 everything was fine the whole day until I ran yum update today, centos and vesta had updates so I accepted them and then the server was infected. Now I am afraid to run yum update after installing vesta. So I guess 0.9.8-20 is affected as well.

You can try this yourself, I don't know why yum update had vesta updates when I was already running version 0.9.8-20
Click to expand...

fresh install and still infected ?

Revenge · Apr 11, 2018

eva2000 said: ↑

Forum just came back for me now

hmmm Got 10 VestaCP servers exploited - Page 44 - Vesta Control Panel - Forum

fresh install and still infected ?
Click to expand...

Misinformation i bet. He was not infected and right after update he got it?

People that were infected, cleaned the Trojan and updated, are not complaining about a new infection.

eva2000 · Apr 12, 2018

well not good news from Patrick Williams a well known security person from Rack911. Well good in that VestaCP devs now have a chance to patch these up.

VestaCP zero-day exploit | Web Hosting Talk

VestaCP is pretty bad.

I been hacking on it for the last hour... many vulnerabilities, lol. I will send the details off later to the developers...
Click to expand...

VestaCP hit with zeroday exploit [Patch Released, Unclear If Resolved] - Page 4

Wow, VestaCP is so bad. I mean, so, so, so bad.

I have already found several root level exploits in LITERALLY less than 15 minutes and I'm typing with one hand while I eat with the other lol.

I'm making a list of everything, I'll send off to their developers at some point...
Click to expand...

Revenge · Apr 13, 2018

In VestaCP forum, many people were saying something related to roundcube, that it seemed the exploit was from there.
VestaCP installs Roundcube.

Coincidence or not, yesterday Roudcube released a security update for an injection vulnerability:

Security update 1.3.6 released
11 April 2018
We just published a security update to the stable version 1.3. It primarily fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.

Additionally, we back-ported some minor fixes from the master branch which improve PHP 7.2 compatibility as well as PGP signing and key handling for those who use the Enigma plugin.

See the full changelog in the release notes on the Github download page.

We strongly recommend to update all productive installations of Roundcube with this new version. Updates for older LTS versions will follow soon.
Click to expand...

eva2000 · Apr 13, 2018

From that news and Patrick's i think there's multiple root level exploits in VestaCP so a multi vector attack is probably most likely - all leading to compromise. Will be interesting to see what is revealed vulnerability wise after VestaCP patches everything.

eva2000 · Apr 14, 2018

Patrick's VestaCP security vulnerability report is being sent to VesatCP folks today VestaCP hit with zeroday exploit [Patch Released, Unclear If Resolved] - Page 5

a bit of a clue as to where some of the vulnerabilities are

Lol. I hope to send off a report today. It's so bad.

I sure hope no one has untrusted users on their VestaCP boxes.
Click to expand...

Revenge · Apr 14, 2018

Sent off 6 security vulnerabilities to [email protected] with 3 of those leading to a easy root compromise. The other 3 are still very serious flaws, password / hash disclosures, etc.

I'll send off more once they fix those.
Click to expand...

eva2000 · Apr 14, 2018

Yup VestaCP hit with zeroday exploit [Patch Released, Unclear If Resolved] - Page 5

edit: just re-read that last line

I'll send off more once they fix those.
Click to expand...

so there's more to come !

robert syputa · Apr 15, 2018

Thanks - great heads up. You bring out the strength of sharing.

Revenge · Apr 16, 2018

eva2000 said: ↑

Yup VestaCP hit with zeroday exploit [Patch Released, Unclear If Resolved] - Page 5

edit: just re-read that last line

so there's more to come !
Click to expand...

@eva2000 are you registered in lowendtalk? Im not and they ask for review.

I posted what patrick said in Vesta forum and i received one PM from one of their Dev's with:

Hi, I'm Predrag from Vesta dev team (dpeca on github)

I saw your post that Patrick from Rack911 Labs sent 6 security vulnerabilities to [email protected]

Serghey is unresponsive to me, in last few days... I didn't get from him any information about issues that Patrick found.
He could be on vacation, I'm not sure.

Maybe he didn't respond to Patrick.

If Serghey don't respond to Patrick in next few days, you can say to Patrick that he can send found vulnerabilities to [email protected] - that is our mailing list of few very close team developers, we will fix issues as soon as it's possible.
Click to expand...

Can you pass this message to Patrick?

eva2000 · Apr 16, 2018

Revenge said: ↑

Can you pass this message to Patrick?
Click to expand...

Just passed it on to Patrick/SecNinja on LET

eva2000 · Jun 27, 2018

@Revenge looks like VestaCP hacked again ?

VestaCP again hacked. UPDATE IMMEDIATELY! ?

As many of you must be running Vesta control panel, I just wanted to warn you all that servers running it are getting hijacked. We have already updated our servers and checked also if they have been hijacked. Last time, Vesta servers were participating a botnet and 4 of our servers were responsible for a huge downtime/network disruption at Contabo according to their team xD. If you are noticing sudden slow response on your server, this could be the source. This tutorial can be followed to fix it Unix Trojan.DDoS_XOR-1, Chinese Chicken Multiplatform DoS botnets Trojan - Server Security & Hardening - Admin-Ahead Community
Click to expand...

Seems VestaCP has updated to fix the security issue though 0.9.8-22 (security) - Vesta Control Panel - Forum

believe same ones at

[CLOSED] [Urgent!] Critical Security issue in VestaCP - Vesta Control Panel - Forum

have been HACKED ! by xaxaxa.eu - Vesta Control Panel - Forum

ouch according to VestaCP again hacked. UPDATE IMMEDIATELY!

while trying to add a fix to the authentication stuff that's happening before api access back in april, they missed/forgot an 'else' ... rendering the whole auth check useless if user and hash was omitted in the post request. free api for everyone...

in addition to this there is another security hole in one of the cli scripts which was then used to execute code on the system itself. add that to the ability to access the api and you're good to go.

so far the impact this time seems to be low, afaik only one user reported that he had a miner deployed in tmp and running.

but from what I have seen the last fix only patches that api problem and not the issue in the cli script that has been used.

those patches get deployed on the servers automatically at night, so at least this api problem should be solved for now. other holes - not so much.
Click to expand...

Revenge · Jun 27, 2018

Yep, it seems. I also noticed now the .21 update was the one that fixed the 6 securities issues the other guy discovered.

eva2000 · Jun 27, 2018

Revenge said: ↑

Yep, it seems. I also noticed now the .21 update was the one that fixed the 6 securities issues the other guy discovered.
Click to expand...

Yeah supposedly fixed IIRC. I updated my VestaCP install from LEMP comparison testing as well to .22.

looks like the v-list-sys-vesta-update script doesn't like being run via full path as opposed to within the script's directory
Code (Text):
/usr/local/vesta/bin/v-list-sys-vesta-updates
/usr/local/vesta/bin/v-list-sys-vesta-updates: line 16: /func/main.sh: No such file or directory
/usr/local/vesta/bin/v-list-sys-vesta-updates: line 17: /conf/vesta.conf: No such file or directory
PKG          VER    REL  ARCH   UPDT  DATE
---          ---    ---  ----   ----  ----
vesta        0.9.8  22   amd64  yes   2018-06-24
vesta-php    0.9.8  21   amd64  yes   2018-06-10
vesta-nginx  0.9.8  21   amd64  yes   2018-06-10
some web hosts reported their customer's VestaCP installs has been affected by this security issue [Security fix] Running VestaCP? Make sure to update! | Web Hosting Talk

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

Security Ouch VestaCP servers hacked !

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

robert syputa Member

Revenge Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

Security Ouch VestaCP servers hacked !

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

robert syputa Member

Revenge Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

.